What if you receive a Privacy Complaint from a Patient?

Imagine you work for a practice and a patient calls to complain that an employee has been accessing their patient account and giving personal information to a mutual acquaintance. You have started investigating the situation but have yet to come across any evidence that this has been happening.

Under HIPAA, how should this be handled?

Law

Under HIPAA, a person who believes a covered entity is not complying with a requirement of the Privacy Rule may file with the Office of Civil Rights (OCR) a written complaint, either by paper or electronically. This complaint must be filed within 180 days of when the complainant knew or should have known that the act occurred (45 CFR 160.306 and 164.534). In addition, individuals have a right to file a complaint directly with the covered entity. Individuals should refer to the covered entity's notice of privacy practices (NPP) for how to file a complaint with the covered entity.

Included in the HIPAA Omnibus Notice of Privacy Practices form we have available in our forms section is the following language regarding complaints:

If you believe your privacy rights have been violated by us, you may file a complaint with us by notifying our Compliance Officer of your complaint. We will not retaliate against you for filing a complaint. You may also complain to us or to the Secretary of Health and Human Services.

We also have an HHS Privacy Complaint Form and a HIPAA Complaint and Resolution Form that are available to you in the forms section.

HCP Response

Based on the facts restated above, in our opinion (and this is by no means legal advice), under HIPAA the patient has a right to file a complaint with you. If the complaint is oral, we recommend documenting it using the HIPAA Complaint and Resolution Form. If the patient states they would like to file electronically with OCR, they may do so by sending an email to OCRComplaint@hhs.gov. Finally, if you haven't already, we recommend checking your Notice of Privacy Practices (NPP) form to see what language it includes regarding a patient's right to file a complaint.

If you have any additional questions, please do not hesitate to contact us.